GDPR and SSL certificate. Is encryption necessary for compliance with the GDPR?

18-05-2018 15:47:40

General Data Protection Regulation (GDPR) is a 99-article regulation meant to protect the private data of Europeans in IT systems. Announced in 2016, covers a broad variety of topics and will go into effect as a requirement on May 25, 2018. GDPR applies to any company doing business in Europe even if it is located elsewhere.

GDPR has clear requirements that can only be addressed through the use of SSL certificates, though it does not contain any specific section on the use of SSL. Article 32 of the regulation ("Security") begins this way:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

the pseudonymisation and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; [...]

In other words, GDPR states that regulated information must be protected with "appropriate technical and organisational measures," including encryption of personal data and the ability to ensure the ongoing confidentiality of systems and services.

If you're putting all your site pages under https and using certificates to authenticate and encrypt communications between internal systems, you're meeting the GDPR requirements for that component of data protection. And if you're not, you should be doing so anyway in order to protect your customers, protect your own business, and save yourself from unprecedented penalties of up to 20 million Euro.

Mensajes recientes

If you run a online business, you are sure to use Google AdWords. Perhaps this is one of the main traffic sources on your site, so the last message you want to see is "Your account has been suspended ...". And yet, you can expect it if your site is not SSL-secured.

Starting 1st of August 2016, Comodo and DomenySSL will no longer offer SGC variants of certificates. As your account has a valid SGC certificate which will be up for renewal in the future, the company has prepared a list of recommended alternatives.